Closed Bug 130841 Opened 22 years ago Closed 22 years ago

ORBZ.ORG has blackholed 207.200.81.216 (mothra.mozilla.org)

Categories

(mozilla.org Graveyard :: Server Operations, task)

VERIFIED FIXED

People

(Reporter: vecchioc, Assigned: daruszka)


orbz has blackholed 207.200.81.216 (mothra.mozilla.org). The mails from bugzilla
are classified as spam.
According to that site, mothra is an open relay; it's nothing to do with
bugzilla mails being spam.

-> server operations, critical
Assignee: endico → daruszka
Component: Bugzilla: Other moz.org Issues → Server Operations
QA Contact: myk → endico
Either this is fixed already or they're full of it.

dave@pismo [19:43 ~ 151] tcsh> telnet 207.200.81.215 25
Trying 207.200.81.215...
Connected to 207.200.81.215.
Escape character is '^]'.
220 gila.mozilla.org ESMTP Howdy! You got mail? Sendmail 8.10.0/8.10.0
helo chartermi.net
250 gila.mozilla.org Hello 24.247.101.145.gha.mi.chartermi.net [24.247.101.145],
pleased to meet you
mail from:<justdave@novagate.com>
250 2.1.0 <justdave@novagate.com>... Sender ok
rcpt to:<justdave@syndicomm.com>
550 5.7.1 <justdave@syndicomm.com>... Relaying denied
quit
221 2.0.0 gila.mozilla.org closing connection
Connection closed by foreign host.
ok, let's try repeating that test with the correct IP address....

dave@pismo [20:02 ~ 152] tcsh> telnet 207.200.81.216 25
Trying 207.200.81.216...
Connected to 207.200.81.216.
Escape character is '^]'.
220 mothra.mozilla.org ESMTP Sendmail 8.9.3+Sun/8.9.1; Thu, 14 Mar 2002 17:06:49
-0800 (PST)
helo chartermi.net
250 mothra.mozilla.org Hello 24.247.101.145.gha.mi.chartermi.net
[24.247.101.145], pleased to meet you
mail from:<justdave@novagate.com>
250 <justdave@novagate.com>... Sender ok
rcpt to:<justdave@syndicomm.com>
550 <justdave@syndicomm.com>... Relaying denied
quit
221 mothra.mozilla.org closing connection
Connection closed by foreign host.


OK, they're still full of it. :-)
OK, they're not full of it.  It's a multi-stage thing.  I just successfully
exploited it.

FWIW, ywing.aoltw.net is on the "outputs" list for the same reason.

dave@pismo [20:04 ~ 153] tcsh> telnet 207.200.81.216 25
Trying 207.200.81.216...
Connected to 207.200.81.216.
Escape character is '^]'.
220 mothra.mozilla.org ESMTP Sendmail 8.9.3+Sun/8.9.1; Thu, 14 Mar 2002 17:15:41
-0800 (PST)
helo chartermi.net
250 mothra.mozilla.org Hello 24.247.101.145.gha.mi.chartermi.net
[24.247.101.145], pleased to meet you
mail from:<bugzilla-daemon@mozilla.org>
250 <bugzilla-daemon@mozilla.org>... Sender ok
rcpt to:<@mozilla.org:justdave@syndicomm.com>
250 <@mozilla.org:justdave@syndicomm.com>... Recipient ok
data
354 Enter mail, end with "." on a line by itself
To: justdave@syndicomm.com
From: bugzilla-daemon@mozilla.org
Subject: Relay test

blah blah test test
.
250 RAA27289 Message accepted for delivery
quit
221 mothra.mozilla.org closing connection
Connection closed by foreign host.



Return-Path: <bugzilla-daemon@mozilla.org>
Received: from ywing.netscape.com (ywing.aoltw.net [204.29.187.151])
	by sheridan.syndicomm.com (8.11.6/8.11.6) with ESMTP id g2F1EJ104256
	for <justdave@syndicomm.com>; Thu, 14 Mar 2002 17:14:19 -0800
Received: from mothra.mozilla.org (mothra.mozilla.org [207.200.81.216])
	by ywing.netscape.com (8.10.0/8.10.0) with ESMTP id g2F1BNg05455
	for <@mozilla.org:justdave@syndicomm.com>; Thu, 14 Mar 2002 17:11:23 -0800 (PST)
Received: from chartermi.net (24.247.101.145.gha.mi.chartermi.net [24.247.101.145])
	by mothra.mozilla.org (8.9.3+Sun/8.9.1) with SMTP id RAA27289
	for <@mozilla.org:justdave@syndicomm.com>; Thu, 14 Mar 2002 17:16:00 -0800 (PST)
Date: Thu, 14 Mar 2002 17:16:00 -0800 (PST)
From: bugzilla-daemon@mozilla.org
Message-Id: <200203150116.RAA27289@mothra.mozilla.org>
To: justdave@syndicomm.com
Subject: Relay test
X-UIDL: h`'!!FSo"!oCA"!==^!!

blah blah test test
mothra has been changed to send emails out directly, to avoid other relays going
to the blacklists because of it. I don't see ywing on the orbz list.
dave@pismo [22:18 ~ 151] tcsh> telnet mothra.mozilla.org 25
Trying 207.200.81.216...
Connected to mothra.mozilla.org.
Escape character is '^]'.
220 mothra.mozilla.org ESMTP Sendmail 8.9.3+Sun/8.9.1; Thu, 14 Mar 2002 19:21:11
-0800 (PST)
helo chartermi.net
250 mothra.mozilla.org Hello 24.247.101.145.gha.mi.chartermi.net
[24.247.101.145], pleased to meet you
mail from:<bugzilla-daemon@mozilla.org>
250 <bugzilla-daemon@mozilla.org>... Sender ok
rcpt to:<@mozilla.org:justdave@syndicomm.com>
250 <@mozilla.org:justdave@syndicomm.com>... Recipient ok
data
354 Enter mail, end with "." on a line by itself
To: justdave@syndicomm.com
From: bugzilla-daemon@mozilla.org
Subject: Relay Test

blah blah test test
.
250 TAA08379 Message accepted for delivery
quit
221 mothra.mozilla.org closing connection
Connection closed by foreign host.

Return-Path: <bugzilla-daemon@mozilla.org>
Received: from gila.mozilla.org (gila.mozilla.org [207.200.81.215])
	by sheridan.syndicomm.com (8.11.6/8.11.6) with ESMTP id g2F3Jw108516
	for <justdave@syndicomm.com>; Thu, 14 Mar 2002 19:19:58 -0800
Received: from mothra.mozilla.org (mothra.mozilla.org [207.200.81.216])
	by gila.mozilla.org with ESMTP id g2F3P6515258
	for <@mozilla.org:justdave@syndicomm.com>; Thu, 14 Mar 2002 19:25:06 -0800 (PST)
Received: from chartermi.net (24.247.101.145.gha.mi.chartermi.net [24.247.101.145])
	by mothra.mozilla.org (8.9.3+Sun/8.9.1) with SMTP id TAA08379
	for <@mozilla.org:justdave@syndicomm.com>; Thu, 14 Mar 2002 19:21:34 -0800 (PST)
Date: Thu, 14 Mar 2002 19:21:34 -0800 (PST)
From: bugzilla-daemon@mozilla.org
Message-Id: <200203150321.TAA08379@mothra.mozilla.org>
To: justdave@syndicomm.com
Subject: Relay Test
X-UIDL: me-!!h(i"!TKf!!-m5!!

blah blah test test


OK, so now it's using gila for a relay instead of ywing...
Since it's mothra which is on the blacklists, that may not help, unless it
doesn't show up in the received line at all.

It's mothra which is the problem - ywing is correctly relaying mail from within
its own network.
correct.  mothra needs to be configured to not accept any incoming mail that
isn't destined for a user on mothra.
Yes, I know it's mothra which is the problem. I just don't want ywing/xwing to
end up being problems, too. Sometimes these relay harvesters add all the systems
to blacklists they see in the relay chain. Mothra used to use xwing/ywing as
outbound relays and we can't risk those going to the blacklist.

This is just a precaution because it might take a while to fix mothra.

Dave, no it's not relaying out through gila (except that I had it that way for 5
minutes and then I put it back to send emails out directly. We don't want gila
to blacklists either). It relayed your email through gila because you said
"@mozilla.org".

Take a look at this example:

Mar 14 19:09:30 mothra.mozilla.org sendmail[7441]: TAA07439: to=rko@iki.fi,
ctladdr=root (0/1), delay=00:00:38, xdelay=00:00:38, mailer=esmtp,
relay=mail.iki.fi. [212.16.100.1], stat=Sent (FAA04010 Message accepted for
delivery)
Mar 14 19:37:03 mothra.mozilla.org sendmail[9590]: TAA09544:
to=<@rko.iki.fi:rkotalampi@aol.com>, delay=00:00:42, xdelay=00:00:01,
mailer=esmtp, relay=rko.iki.fi. [63.193.121.247], stat=User unknown

Here's a better example of an email which was actually delivered to risto@kotalampi.com:

Mar 14 19:52:50 mothra.mozilla.org sendmail[10562]: TAA10562: from=<rko@iki.fi>,
 size=17, class=0, pri=30017, nrcpts=1,
msgid=<200203150352.TAA10562@mothra.mozilla.org>, proto=SMTP,
relay=adsl-63-193-121-247.dsl.snfc21.pacbell.net [63.193.121.247]

Mar 14 19:52:51 mothra.mozilla.org sendmail[10594]: TAA10562:
to=<@kotalampi.com:risto@kotalampi.com>, delay=00:00:38, xdelay=00:00:01,
mailer=esmtp, relay=sdxl.org. [63.193.121.247], stat=Sent (2.0.0 g2F3oFJ11959
Message accepted for delivery)
the @mozilla.org trick is exactly what ORBZ does in their test emails (that's
where I got the idea from).  So gila is still going to end up on the blacklists
like this (or any other server someone decides to put in the alternate routing
based on the examples you just posted).

It's bad practice to allow an externally accessible email server to accept mail
with alternate routing, because the primary use of it these days is for a
spammer to trick your server into relaying (just like this).
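The relay decision described in this thread, as an added example that is not code from the bug or from sendmail: a constructed model of an MTA that treats the first hop of a source-routed recipient (`<@mozilla.org:user@elsewhere>`) as the destination, beside a hardened check that refuses route addresses and the `%` hack and judges relaying on the final domain only. `LOCAL_DOMAINS` and the address parsing are simplifying assumptions (no quoted local parts).

```python
import re

# Domains this MTA is the final destination for (constructed for the example).
LOCAL_DOMAINS = {"mozilla.org", "mothra.mozilla.org"}

# RFC 821 route address: <@hop1,@hop2:local@domain>
ROUTE_ADDR = re.compile(r"^<(?P<route>(?:@[^:,>]+,?)+):(?P<addr>[^>]+)>$")
PLAIN_ADDR = re.compile(r"^<?(?P<addr>[^<>@\s]+@[^<>@\s]+)>?$")


def parse_path(path):
    """Return (route_hosts, local_part, domain) for an SMTP forward-path."""
    path = path.strip()
    m = ROUTE_ADDR.match(path)
    if m:
        hosts = [h.lstrip("@") for h in m.group("route").split(",")]
        addr = m.group("addr")
    else:
        m = PLAIN_ADDR.match(path)
        if not m:
            raise ValueError("unparseable path: " + path)
        hosts, addr = [], m.group("addr")
    local, _, domain = addr.rpartition("@")
    return hosts, local, domain.lower()


def permissive_decision(path):
    """Model of the behaviour exploited in the thread (not sendmail's actual
    logic): the first route hop is taken as the destination, so a route via
    a local domain looks like local delivery and is accepted."""
    hosts, _local, domain = parse_path(path)
    target = hosts[0].lower() if hosts else domain
    return "250 Recipient ok" if target in LOCAL_DOMAINS else "550 Relaying denied"


def hardened_decision(path):
    """Refuse explicit source routes and '%'/'!' routing in the local part,
    then allow the recipient only if the final domain is one we host."""
    hosts, local, domain = parse_path(path)
    if hosts:
        return "550 Source routing not permitted"
    if "%" in local or "!" in local:
        return "550 Route-address syntax not permitted"
    if domain not in LOCAL_DOMAINS:
        return "550 Relaying denied"
    return "250 Recipient ok"
```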
*** Bug 131305 has been marked as a duplicate of this bug. ***
.. and gila is now blocked as an output.

http://orbz.org/b.php?207.200.81.215
gila is now blacklisted on spamcop as well:

http://spamcop.net/bl.shtml?207.200.81.215

We're getting multiple complaints from Bugzilla users about not receiving their
bugmail...
Severity: critical → blocker
It appears that gila is on spamcop because gila is stripping all received lines
on mail it sends out (or, if this started from news and got converted to mail by
the gateway, maybe it's just the first one in the list).

So spamcop sees gila.m.o as the source of all this spam and blocks it because of
the amount of spam coming from that server.

See bug 63735 and http://spamcop.net/w3m?action=checkblock&ip=207.200.81.215

Being listed as an orbz output now won't help matters, either.
FYI, the listing for mothra now lists the following:

Associated Outputs
204.29.187.151
207.200.81.215

204.29.187.151 = ywing.aoltw.net

If I look it up directly it's not showing up on the list, but because of the
above association it very likely will very soon.
Sorry, but is there a chance of fixing it soon? I've missed the posts for 3 days now.
It's like living without knowing what is going on on the planet... :(

BTW, will I receive all the unreceived messages?

Tnx.
Eugene: blocking of mail based on DNSBL lists like ORBZ is done by the
recipient's ISP.  You would need to ask your ISP about that.  It's very likely
if you didn't receive it that they either tossed it in the bit bucket or bounced
it back to mozilla.org (which would have just tossed it in the bit bucket). 
It's very unlikely that an ISP would choose to cache those emails in case the
blacklisting was removed.
spamcop is listing gila because of its news gateway, which is probably throwing
a lot of spam out. That is not mothra's fault AFAIK.

I still don't understand why gila or ywing/xwing would be on any of open relays 
lists. mothra sends emails out directly nowadays - it's not using gila nor 
xwing/ywing as relays.
gila was the relay temporarily, I thought (see comment 6), and ywing was for the
past several years at least. There's a box on the orbz page to get the server
retested - if ywing/gila don't have the same problem which mothra has, you could
submit it to that. Not sure if that clears outputs - they may only be cleared
once the original input is cleared.

If those machines do have the problem, then submitting it for a retest will get
it blocked on the inputs link, too, which you probably don't want...
upgraded sendmail on mothra. This should fix the problem for now. I'll try
resubmitting mothra on orbz.
test
orbz says we're clean now :)

ORBZ Database Information
IP: 207.200.81.216
State: clean
Listed in inputs: no
Listed in outputs: no
(What's the difference between inputs and outputs?)
Last Test: 2002-03-18 20:41:29 UTC
Last Test Result: all probes refused
---------------------------------------------------------
=========================================================
See any known spam from this host (off-site link)
(SpamCop reports have no bearing whatsoever on ORBZ listings)
=========================================================
Direct DNS Lookups
ORBZ DNS lookups lag behind database information.
inputs.orbz.org: listed (Open relay input.  See http://orbz.org/?207.200.81.216)
outputs.orbz.org: clean
relays.ordb.org: clean
orbs.dorkslayers.com: clean
dev.null.dk: clean
relays.osirusoft.com: clean
bl.spamcop.net: clean
relays.visi.com: clean
Status: NEW → RESOLVED
Closed: 22 years ago
Resolution: --- → FIXED
Yes, the server is out of orbz now. My ISP's mailserver doesn't tag bugmail as
spam anymore.
Status: RESOLVED → VERIFIED
dave@pismo [21:37 ~ 151] tcsh> nslookup 216.81.200.207.inputs.orbz.org
Server:  router.hollar.lan
Address:  192.168.1.254

*** router.hollar.lan can't find 216.81.200.207.inputs.orbz.org: Non-existent
host/domain


Confirmed.

Thanks Mark!
I still don't get any bugmail and my ISP says it is not its fault.
yes, it is your isp's fault. they're still blocking our mail despite (or
because of) the fact that orbz no longer exists.
http://derf.cc/orbz_shutdown.txt
http://slashdot.org/article.pl?sid=02/03/20/1528246&mode=thread

there are a whopping 76K deferred messages for you in our current syslog
starting may 17. Here is the most recent. I should delete your mail
from the queue. Mothra has better things to do than argue with your
isp.

Mar 21 18:03:25 mothra.mozilla.org sendmail[29181]: g2K5Ecu10515:
to=mozbug@durys.net, ctladdr=nobody (60001/60001), delay=1+20:48:47,
xdelay=00:00:01, mailer=esmtp, pri=54030616, relay=mx1.ovh.net. [213.186.33.29],
dsn=4.3.0, stat=Deferred: 451 Open relay.  Please see
http://orbz.org/?207.200.81.216
Product: mozilla.org → mozilla.org Graveyard